There is a problem in accordance with the certificate expired https://github.com/strongit/kubeadm-ha/ cluster installation steps after the installation kubeadm init. Now repair as follows:
ideas are as follows,
1, to retain ca.crt ca.key front-proxy-ca.crt front -proxy-ca.key, the root certificate valid for 10 years
2, openssl re-endorsement
3, kubeadm alpha phase generated config
[root@k8s-master01 pki]# cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 10.96.0.1
IP.2 = 100.82.200.190
IP.3 = 100.82.200.184
IP.4 = 100.82.200.187
IP.5 = 100.82.200.194
IP.6 = 10.220.8.184
IP.7 = 10.220.8.187
IP.8 = 10.220.8.190
IP.9 = 10.220.8.194
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -out apiserver.csr -config csr.conf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./apiserver.crt |grep "Not"
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config csr.conf
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./apiserver-kubelet-client.crt |grep "Not"
openssl genrsa -out front-proxy-client.key 2048
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config csr.conf
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./front-proxy-client.crt |grep "Not"
kubeadm alpha phase certs all --config kubeadm-config.yaml
kubeadm alpha phase kubelet config write-to-disk --config kubeadm-config.yaml
kubeadm alpha phase kubelet write-env-file --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig kubelet --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml
kubeadm alpha phase controlplane all --config kubeadm-config.yaml
systemctl restart kubelet
kubeadm alpha phase mark-master --config kubeadm-config.yaml
cp /etc/kubernetes/admin.conf ~/.kube/configAfter rebooting the cluster, perform kubelet logs pods XXXX -n kube-system given as follows: Error from server (Forbidden): Forbidden (user = kubernetes, verb = get, resource = nodes, subresource = proxy) (pods / log kube-scheduler- k8s-master01)
solution: kubectl create clusterrolebinding system: kubernetes --clusterrole = cluster-admin --user = system: kubernetes